DOCSLIB.ORG

AUTHENTICATED ENCRYPTION in HARDWARE by Milind M. Parelkar

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
AUTHENTICATED ENCRYPTION in HARDWARE by Milind M. Parelkar AUTHENTICATED ENCRYPTION IN HARDWARE by Milind M. Parelkar A Thesis Submitted to the Graduate Faculty of George Mason University in Partial Ful¯llment of the the Requirements for the Degree of Master of Science Electrical and Computer Engineering Committee: Dr. Kris Gaj, Thesis Director Dr. William Sutton Dr. Peter Pachowicz Andre Manitius, Chairman, Department of Electrical and Computer Engineering Lloyd J. Gri±ths, Dean, School of Information Technology and Engineering Date: Fall 2005 George Mason University Fairfax, VA Authenticated Encryption in Hardware A thesis submitted in partial ful¯llment of the requirements for the degree of Master of Science at George Mason University By Milind M. Parelkar Bachelor of Engineering University of Mumbai(Bombay), India, 2002 Director: Dr. Kris Gaj, Associate Professor Department of Electrical and Computer Engineering Fall 2005 George Mason University Fairfax, VA ii Copyright °c 2005 by Milind M. Parelkar All Rights Reserved iii Acknowledgments I would like to thank Dr. Kris Gaj for helping me throughout the course of this research. Special thanks to Pawel Chodowiec, without whose help, it would have been very di±cult to come up with good results, on time. iv Table of Contents Page Abstract . xii 1 Authenticated Encryption - Introduction and Motivation . 1 1.1 Cryptographic Goals . 1 1.2 What is Authenticated - Encryption? . 2 1.3 Target Applications for Authenticated - Encryption . 7 1.3.1 Encryption and Authentication of FPGA Bitstream . 7 1.3.2 Authenticated - Encryption in 802.11 Wireless LANs . 11 1.4 Authentication Techniques . 12 1.4.1 Hash Functions . 12 1.4.2 Message Authentication Codes (MACs) . 13 1.4.3 Authenticated-Encryption using Modes of Operations of Block Ciphers . 16 1.5 Need and Criteria for Comparison of Hardware Implementations . 17 1.6 Previous Work . 19 2 Methodology for Comparison of Authentication Techniques . 20 2.1 Scope of this Research . 20 2.1.1 Implementation Goals for Modes of Operations . 22 2.2 Tools, Design Process and Synthesis Parameters . 24 3 Authentication with Keyed HMACs . 27 3.1 Secure Hash Standard - SHA . 27 3.1.1 Hardware Implementation of SHA-1 . 28 3.2 Keyed-Hash Message Authentication Code (HMAC) . 34 3.2.1 Hardware Implementation of HMAC SHA-1 . 36 4 OCB Mode of Operation . 39 4.1 Introduction . 39 4.1.1 OCB Encryption and Decryption . 39 v 4.2 Hardware Implementation of OCB Mode . 42 4.2.1 Datapath Design . 43 4.2.2 Design of Control Logic . 51 5 CCM Mode of Operation . 54 5.1 Introduction . 54 5.1.1 CCM Encryption and Decryption . 54 5.2 Hardware Implementation of CCM Module . 58 5.2.1 Datapath Design . 58 5.2.2 Design of Control Logic . 63 6 EAX Mode of Operation . 66 6.1 Introduction . 66 6.1.1 EAX Encryption and Decryption . 66 6.1.2 Modi¯ed OMAC Operation . 68 6.2 Hardware Implementation of EAX mode . 70 6.2.1 Datapath Design . 71 6.2.2 Design of Control Logic . 75 7 Implementation Results . 76 7.1 Throughput Computations for Modes of Operations and Generic Com- position Schemes . 76 7.1.1 ECB Mode of Operation . 77 7.1.2 OCB Mode of Operation . 78 7.1.3 CCM Mode of Operation . 79 7.1.4 EAX Mode of Operation . 79 7.1.5 Generic Composition Schemes - AES + HMAC . 80 7.2 FPGA Implementation Results . 81 7.2.1 Implementation of Modes with AES . 81 7.2.2 Implementation of Modes with Two¯sh . 84 7.2.3 Implementation of Modes with Serpent . 86 7.2.4 Implementation of Generic Composition Schemes . 86 7.3 ASIC Synthesis Results . 88 7.3.1 Implementation of Modes with AES . 90 7.3.2 Implementation of Modes with Two¯sh . 94 7.3.3 Implementation of Modes with Serpent . 94 vi 7.3.4 Implementation of Generic Composition Schemes - AES + HMAC 97 8 Analysis of Results . 103 8.1 Analysis of Results of FPGA Implementations . 103 8.1.1 Comparison of Authenticated-Encryption Modes of Operation with Generic Composition Schemes . 103 8.1.2 Comparison of Modes of Operations Based on Di®erent Ciphers 106 8.1.3 Comparison of Throughput/Area Ratio for FPGA Implemen- tations . 106 8.2 Analysis of Results of ASIC Synthesis . 108 8.2.1 Comparison of Authenticated-Encryption Modes of Operation with Generic Composition Schemes . 110 8.2.2 Comparison of Modes of Operations Based on Di®erent Ciphers 113 8.2.3 Comparison of Throughput/Area Ratio for ASIC Synthesis . 113 9 Modi¯cations, Optimizations and Future Work . 116 9.1 Modi¯cations for Improving Throughput . 116 9.2 Modi¯cations for Reducing the Circuit Area . 119 9.3 Projected Bene¯ts from Optimizations . 121 9.4 Summary . 122 10 Summary . 123 Bibliography . 126 vii List of Tables Table Page 3.1 Comparison of Secure Hash Algorithms . 27 4.1 Truth Table for Priority Encoder ntz 8 . 48 5.1 CCM Block Types and Operations . 56 5.2 CCM Nonce Format . 61 5.3 CCM Block B[0] Format . 62 5.4 CCM Flags Format . 62 5.5 First Associated Data Frame Format (Block B[1]) . 62 5.6 Order of Operations in Hardware Implementation of CCM . 65 7.1 Number of Rounds and Pipeline Stages per Round used in the Hard- ware Implementations of Block Ciphers . 77 7.2 FPGA Implementation Results for Modes of Operation with AES . 82 7.3 Comparison of FPGA Implementation Results - AES-ECB and AES- OCB.................................... 82 7.4 Comparison of FPGA Implementation Results - AES-ECB and AES- CCM.................................... 83 7.5 Comparison of FPGA Implementation Results - AES-ECB and AES- EAX.................................... 83 7.6 FPGA Implementation Results for Modes of Operation with Two¯sh 84 7.7 Comparison of FPGA Implementation Results - Two¯sh-ECB and Two¯sh-OCB . 84 7.8 Comparison of FPGA Implementation Results - Two¯sh-ECB and Two¯sh-CCM . 85 7.9 Comparison of FPGA Implementation Results - Two¯sh-ECB and Two¯sh-EAX . 85 7.10 FPGA Implementation Results for Modes of Operation with Serpent 86 viii 7.11 Comparison of FPGA Implementation Results - Serpent-ECB and Serpent- OCB.................................... 87 7.12 Comparison of FPGA Implementation Results - Serpent-ECB and Serpent- CCM.................................... 87 7.13 Comparison of FPGA Implementation Results - Serpent-ECB and Serpent- EAX.................................... 87 7.14 FPGA Implementation Results for Generic Composition Schemes . 88 7.15 Comparison of FPGA Implementation Results - AES-ECB and AES+HMAC SHA-1 . 89 7.16 Comparison of FPGA Implementation Results - AES-ECB and AES+HMAC SHA-512 . 89 7.17 ASIC Synthesis Results for Modes of Operation with AES (90 nm) . 90 7.18 Comparison of ASIC Synthesis Results - AES-ECB and AES-OCB (90 nm) .................................... 91 7.19 Comparison of ASIC Synthesis Results - AES-ECB and AES-CCM (90 nm) .................................... 91 7.20 Comparison of ASIC Synthesis Results - AES-ECB and AES-EAX (90 nm) .................................... 92 7.21 ASIC Synthesis Results for Modes of Operation with AES (130 nm) . 92 7.22 Comparison of ASIC Synthesis Results - AES-ECB and AES-OCB (130 nm) .................................... 92 7.23 Comparison of ASIC Synthesis Results - AES-ECB and AES-CCM (130 nm) . 93 7.24 Comparison of ASIC Synthesis Results - AES-ECB and AES-EAX (130 nm) .................................... 93 7.25 ASIC Synthesis Results for Modes of Operation with Two¯sh (90 nm) 94 7.26 Comparison of ASIC Synthesis Results - Two¯sh-ECB and Two¯sh- OCB (90 nm) . 95 7.27 Comparison of ASIC Synthesis Results - Two¯sh-ECB and Two¯sh- CCM (90 nm) . 95 7.28 Comparison of ASIC Synthesis Results - Two¯sh-ECB and Two¯sh- EAX (90 nm) . 95 ix 7.29 ASIC Synthesis Results for Modes of Operation with Two¯sh (130 nm) 96 7.30 Comparison of ASIC Synthesis Results - Two¯sh-ECB and Two¯sh- OCB (130 nm) . 96 7.31 Comparison of ASIC Synthesis Results - Two¯sh-ECB and Two¯sh- CCM (130 nm) . 96 7.32 Comparison of ASIC Synthesis Results - Two¯sh-ECB and Two¯sh- EAX (130 nm) . 97 7.33 ASIC Synthesis Results for Modes of Operation with Serpent (90 nm) 97 7.34 Comparison of ASIC Synthesis Results - Serpent-ECB and Serpent- OCB (90 nm) . 98 7.35 Comparison of ASIC Synthesis Results - Serpent-ECB and Serpent- CCM (90 nm) . 98 7.36 Comparison of ASIC Synthesis Results - Serpent-ECB and Serpent- EAX (90 nm) . 98 7.37 ASIC Synthesis Results for Modes of Operation with Serpent (130 nm) 99 7.38 Comparison of ASIC Synthesis Results - Serpent-ECB and Serpent- OCB (130 nm) . 99 7.39 Comparison of ASIC Synthesis Results - Serpent-ECB and Serpent- CCM (130 nm) . 99 7.40 Comparison of ASIC Synthesis Results - Serpent-ECB and Serpent- EAX (130 nm) . 100 7.41 ASIC Synthesis Results for Generic Composition Schemes(90 nm) . 101 7.42 Comparison of ASIC Synthesis Results - AES-ECB and AES+HMAC SHA-1(90 nm) . 101 7.43 Comparison of ASIC Synthesis Results - AES-ECB and AES+HMAC SHA-512(90 nm) . 101 7.44 ASIC Synthesis Results for Generic Composition Schemes(130 nm) . 102 7.45 Comparison of ASIC Synthesis Results - AES-ECB and AES+HMAC SHA-1(130 nm) . 102 7.46 Comparison of ASIC Synthesis Results - AES-ECB and AES+HMAC SHA-512(130 nm) . 102 x List of Figures Figure Page 1.1 ECB Mode of Operation . ..
Load more

Recommended publications
  • SHA-3 Update
    SHA+3%update% %% % Quynh%Dang% Computer%Security%Division% ITL,%NIST% IETF%86% SHA-3 Competition 11/2/2007% SHA+3%CompeDDon%Began.% 10/2/2012% Keccak&announced&as&the&SHA13&winner.& IETF%86% Secure Hash Algorithms Outlook ► SHA-2 looks strong. ► We expect Keccak (SHA-3) to co-exist with SHA-2. ► Keccak complements SHA-2 in many ways. Keccak is good in different environments. Keccak is a sponge - a different design concept from SHA-2. IETF%86% Sponge Construction Sponge capacity corresponds to a security level: s = c/2. IETF%86% SHA-3 Selection ► We chose Keccak as the winner because of many different reasons and below are some of them: ► It has a high security margin. ► It received good amount of high-quality analyses. ► It has excellent hardware performance. ► It has good overall performance. ► It is very different from SHA-2. ► It provides a lot of flexibility. IETF%86% Keccak Features ► Keccak supports the same hash-output sizes as SHA-2 (i.e., SHA-224, -256, -384, -512). ► Keccak works fine with existing applications, such as DRBGs, KDFs, HMAC and digital signatures. ► Keccak offers flexibility in performance/security tradeoffs. ► Keccak supports tree hashing. ► Keccak supports variable-length output. IETF%86% Under Consideration for SHA-3 ► Support for variable-length hashes ► Considering options: ► One capacity: c = 512, with output size encoding, ► Two capacities: c = 256 and c = 512, with output size encoding, or ► Four capacities: c = 224, c = 256, c=384, and c = 512 without output size encoding (preferred by the Keccak team). ► Input format for SHA-3 hash function(s) will contain a padding scheme to support tree hashing in the future.
    [Show full text]
  • Lecture9.Pdf
    Merkle- Suppose H is a Damgaord hash function built from a secure compression function : several to build a function ways keyed : m : = H Ilm 1 . end FCK ) (k ) Prep key , " " ↳ - Insecure due to structure of Merkle : can mount an extension attack: H (KH m) can Barnyard given , compute ' Hlkllmllm ) by extending Merkle- Danged chain = : m : 2 . FCK ) 11k) Append key , Hlm ↳ - - to : Similar to hash then MAC construction and vulnerable same offline attack adversary finds a collision in the - - > Merkle and uses that to construct a for SHA I used PDF files Barnyard prefix forgery f , they ↳ - Structure in SHA I (can matches exploited collision demonstration generate arbitrary collisions once prefix ) ' = : FCK m - H on h 3. method , ) ( K HMH K) for reasonable randomness ( both Envelope pseudo assumptions e.g , : = - = i - - : F ( m m } : h K m h m k 4. nest ( ki ) H Ck H (k m ( , and m ( ) is a PRF both Two , kz , ) (ka HH , )) F- , ) ) Falk , ) , ) key , - of these constructions are secure PRFS on a variable size domain hash- based MAC ✓ a the - nest with correlated : HMAC is PRF / MAC based on two key (though keys) : = m H H ka m HMACCK ( K H ( , )) , ) , where k ← k ④ and kz ← k to , ipad opad and and are fixed ( in the HMAC standard) ipad opad strings specified I 0×36 repeated %x5C repeated : k . a Since , and ka are correlated need to make on h remains under Sety , stronger assumption security leg , pseudorandom related attack) Instantiations : denoted HMAC- H where H is the hash function Typically , HMAC- SHAI %" - - HMAC SHA256
    [Show full text]
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • GCM) for Confidentiality And
    NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4
    [Show full text]
  • The EAX Mode of Operation
    A preliminary version of this papers appears in Fast Software Encryption ’04, Lecture Notes in Computer Science, vol. ?? , R. Bimal and W. Meier ed., Springer-Verlag, 2004. This is the full version. The EAX Mode of Operation (A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency) ∗ † ‡ M. BELLARE P. ROGAWAY D. WAGNER January 18, 2004 Abstract We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2|M|/n + |H|/n + |N|/n block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (the length of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this fact is novel and involved. EAX is an alternative to CCM [26], which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one pass for achieving privacy and one for authenticity.
    [Show full text]
  • Patent-Free Authenticated-Encryption As Fast As OCB
    Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f.
    [Show full text]
  • Speeding up OMD Instantiations in Hardware
    Speeding Up OMD Instantiations in Hardware Diana Maimuţ1[0000−0002−9541−5705] and Alexandru Ştefan Mega1,2[0000−0002−9541−1114] 1 Advanced Technologies Institute 10 Dinu Vintilă, Bucharest, Romania {diana.maimut,ati}@dcti.ro 2 Politehnica University of Bucharest Bucharest, Romania [email protected] Abstract. Particular instantiations of the Offset Merkle Damgård au- thenticated encryption scheme (OMD) represent highly secure alterna- tives for AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding- up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD as well as the first architecture of an online authenticated encryption system based on OMD. Keywords: Authenticated encryption, pseudorandom function, compression function, provable security, FPGA, hardware optimization, nonce respecting ad- versaries. 1 Introduction Authenticated encryption (AE) primitives ensure both message confidentiality and authenticity. Initially, AE algorithms achieved confidentiality and integrity by combining two distinct cryptographic primitives (one for each of the two goals). Around two decades ago the perspective of having a unique primitive for confidentiality and integrity started to appear. Rogaway [16] extended AE schemes by adding a new type of input for associated data (AD) and, thus, AEAD (authenticated encryption with associated data) was the next step. Such a model is helpful in real world scenario in which part of the message (e.g. a header) needs only to be authenticated.
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • Hashes, Macs & Authenticated Encryption Today's Lecture Hashes
    Today’s Lecture • Hashes and Message Authentication Codes Hashes, MACs & • Properties of Hashes and MACs Authenticated Encryption • CBC-MAC, MAC -> HASH (slow), • SHA1, SHA2, SHA3 Tom Chothia • HASH -> MAC, HMAC ICS Lecture 4 • Authenticated Encryption – CCM Hashes Signatures l A hash of any message is a short string • Using RSA Epub(Dpriv(M)) = M generated from that message. • This can be used to sign messages. l The hash of a message is always the same. l Any small change makes the hash totally • Sign a message with the private key and this can be different. verified with the public key. l It is very hard to go from the hash to the message. • Any real crypto suite will not use the same key for encryption and signing. l It is very unlikely that any two different messages have the same hash. – as this can be used to trick people into decrypting. Signatures Uses of Hashing Alice has a signing key Ks • Download/Message verification and wants to sign message M Plain Text • Tying parts of a message together (hash the whole message) Detached Signature: Dks(#(M)) RSA decrypt with key ks SHA hash • Hash message, then sign the hash. • Protect Passwords Signed: M,Dks(#(M)) – Store the hash, not the password 1 Attacks on hashes Birthday Paradox • Preimage Attack: Find a message for a • How many people do you need to ask given hash: very hard. before you find 2 that have the same birthday? • Prefix Collision Attack: a collision attack where the attacker can pick a prefix for • 23 people, gives (23*22)/2 = 253 pairs.
    [Show full text]
  • Message Authentication Codes
    MessageMessage AuthenticationAuthentication CodesCodes Was this message altered? Did he really send this? Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 12-1 OverviewOverview 1. Message Authentication 2. MACS based on Hash Functions: HMAC 3. MACs based on Block Ciphers: DAA and CMAC 4. Authenticated Encryption: CCM and GCM 5. Pseudorandom Number Generation Using Hash Functions and MACs These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-2 MessageMessage SecuritySecurity RequirementsRequirements Disclosure Traffic analysis Masquerade Content modification Sequence modification Timing modification Source repudiation Destination repudiation Message Authentication = Integrity + Source Authentication Washington University in St. Louis CSE571S ©2011 Raj Jain 12-3 PublicPublic--KeyKey AuthenticationAuthentication andand SecrecySecrecy A B’s Public A’s PrivateMessage B A Key Key B Double public key encryption provides authentication and integrity. Double public key Very compute intensive Crypto checksum (MAC) is better. Based on a secret key and the message. Can also encrypt with the same or different key. Washington University in St. Louis CSE571S ©2011 Raj Jain 12-4 MACMAC PropertiesProperties A MAC is a cryptographic checksum MAC = CK(M) Condenses a variable-length message M using a secret key To a fixed-sized authenticator Is a many-to-one function Potentially many messages have same MAC But finding these needs to be very difficult Properties: 1.
    [Show full text]
  • Authenticated Encryption Mode IAPM Using SHA-3'S Public Random
    Authenticated Encryption Mode IAPM using SHA-3’s Public Random Permutation Charanjit Jutla IBM T. J. Watson Research Center New York 10598 Abstract. We study instantiating the random permutation of the block- cipher mode of operation IAPM (Integrity-Aware Parallelizable Mode) with the public random permutation of Keccak, on which the draft stan- dard SHA-3 is built. IAPM and the related mode OCB are single-pass highly parallelizable authenticated-encryption modes, and while they were originally proven secure in the private random permutation model, Kurosawa has shown that they are also secure in the public random per- mutation model assuming the whitening keys are uniformly chosen with double the usual entropy. In this paper, we show a general composabil- ity result that shows that the whitening key can be obtained from the usual entropy source by a key-derivation function which is itself built on Keccak. We stress that this does not follow directly from the usual indifferentiability of key-derivation function constructions from Random Oracles. We also show that a simple and general construction, again employing Keccak, can also be used to make the IAPM scheme key- dependent-message secure. Finally, implementations on modern AMD-64 architecture supporting 128-bit SIMD instructions, and not supporting the native AES instructions, show that IAPM with Keccak runs three times faster than IAPM with AES. 1 Introduction Symmetric key encryption of bulk data is usually performed using either a stream cipher or a block cipher. A long message is divided into small fixed-size blocks and encryption is performed by either a stream-cipher mode or a block-cipher mode employing a cryptographic primitive that operates on blocks.
    [Show full text]
  • Secret-Key Encryption Introduction
    Secret-Key Encryption Introduction • Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message • History of encryption dates back to 1900 BC • Two types of encryption • secret-key encryption : same key for encryption and decryption • pubic-key encryption : different keys for encryption and decryption • We focus on secret-key encryption in this chapter Substitution Cipher • Encryption is done by replacing units of plaintext with ciphertext, according to a fixed system. • Units may be single letters, pairs of letters, triplets of letters, mixtures of the above, and so forth • Decryption simply performs the inverse substitution. • Two typical substitution ciphers: • monoalphabetic - fixed substitution over the entire message • Polyalphabetic - a number of substitutions at different positions in the message Monoalphabetic Substitution Cipher • Encryption and decryption Breaking Monoalphabetic Substitution Cipher • Frequency analysis is the study of the frequency of letters or groups of letters in a ciphertext. • Common letters : T, A, E, I, O • Common 2-letter combinations (bigrams): TH, HE, IN, ER • Common 3-letter combinations (trigrams): THE, AND, and ING Breaking Monoalphabetic Substitution Cipher • Letter Frequency Analysis results: Breaking Monoalphabetic Substitution Cipher • Bigram Frequency Analysis results: Breaking Monoalphabetic Substitution Cipher • Trigram Frequency analysis results: Breaking Monoalphabetic Substitution Cipher • Applying the partial mappings… Data Encryption Standard (DES) • DES is a block cipher - can only encrypt a block of data • Block size for DES is 64 bits • DES uses 56-bit keys although a 64-bit key is fed into the algorithm • Theoretical attacks were identified. None was practical enough to cause major concerns.
    [Show full text]